OWASP Orange County

Welcome to the Orange County chapter homepage. Led by the co-presidents Neil Matatall, Rob LaViolette and Shong Chong.

funds to OWASP earmarked for Orange County. Click here to join the local chapter mailing list.

Participation

OWASP Foundation (Overview Slides) is a professional association of global members and is open to anyone interested in learning more about software security. Local chapters are run independently and guided by the Chapter_Leader_Handbook. As a 501(c)(3) non-profit professional association, your support and sponsorship of any meeting venue and/or refreshments is tax-deductible. Financial contributions should only be made online using the authorized online chapter donation button. To be a SPEAKER at ANY OWASP Chapter in the world, simply review the speaker agreement and then contact the local chapter leader with details of what OWASP PROJECT, independent research or related software security topic you would like to present on.

Samy Kamkar has lectured on computer security issues in over a dozen
countries, and his work has been featured on the front page of the New
York Times. As a grey-hat hacker, he makes and breaks computer
security for tech companies. In addition to his independent security
research, he co-founded Fonality, an IP PBX company.

Jim Manico

Back to Basics: Defensive Coding Principles for Web Development 101

The application security community is in deep need of prescriptive
solutions for developers. This talk will review the world of Web
Application Security from a "builder" point of view, focusing on
critical controls that all developers must master if they wish to build
low risk web applications today.

Bio:

Jim Manico is the chair of the OWASP Connections committee where he
focuses on producing and hosting the OWASP Podcast. Jim also is a
co-manager of the OWASP ESAPI Open Source project. Professionally, Jim
is an independent application security architect specializing in the
construction of low-risk web applications. Jim is also an application
security educator and assessment specialist.

Edward Bonver
Talk Title:

Threat Modeling at Symantec

Abstract:

Threat Modeling is one of the most important security activities that a development/QA team needs to perform as part of a Security Development Lifecycle. This activity allows the team to build a complete security profile of the system being built. Threat Modeling is not always easy to get going for a team that has little or no security experience. In this presentation we’ll take a look at why Threat Modeling is so important; we’ll explore the process behind it, and how the process is being implemented and followed across Symantec.

Bio:

Edward Bonver is a principal software engineer on the product security team under the Office of the CTO at Symantec Corporation. In this capacity, Edward is responsible for working with software developers and quality assurance (QA) professionals across Symantec to continuously enhance the company’s software security practices through the adoption of methodologies, procedures and tools for secure coding and security testing. Within Symantec, Edward teaches secure coding and security testing classes for Symantec engineers, and also leads the company’s QA Security Task Force, which he founded. Prior to joining Symantec, Edward held software engineering and QA roles at Digital Equipment Corporation, Nbase and Zuma Networks.

Edward is a Certified Information Systems Security Professional (CISSP) and a Certified Secure Software Lifecycle Professional (CSSLP). He holds a master’s degree in computer science from California State University, Northridge, and a bachelor’s degree in computer science from Rochester Institute of Technology. Edward is a Ph.D. student at NOVA Southeastern University.

The shuttle runs until 10:45PM. The shuttle costs $1 per ride, but fees are rarely collected ;)

Title: Do VLANs allow for good application security?

Virtual Local Area Networks (VLANs) are not a new concept, and can help
any organization better control network access. I will present some of
the previous issues identified, what was the root cause, and how these
have been fixed in current technology. In addition we will talk about
how this can help to enhance security in your environment, and what
controls must be in place in order to implement such an environment. We
will also touch on how this can complicate your application environment,
but improve overall security.

I will touch on the controls that need to be reviewed and audited when
working with VMware, VLANs, and web applications, to ensure that these
networks are secure, and what to look for to potentially pass audit
criteria. I will also talk about where and how these controls have been
implemented in order to protect thousands of users while accessing one
of the most hostile networks in the world.

David M. N. Bryan
Senior Security Consultant

David has over 9 years of computer security experience, including
consulting, engineering and administration. He has performed security
assessment projects for the health care, nuclear, manufacturing,
pharmaceutical, banking and educational sectors. As an active
participant in the information security community, he volunteers at
DEFCON, where he designs and implements the firewall and network for what
is said to be the most hostile network environment in the world.

He is also an active participant in the local Minneapolis security
groups, both as a board member of OWASP MSP and of DC612. His roots and
experience come from working for large enterprise banks, designing and
managing enterprise security systems. In more recent years he has
been working as an Information Security Consultant, reviewing the
security and architecture of information computing environments.

Title: Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications

As the line between desktop and web applications becomes increasingly blurry in a web 2.0 world, browser functionality is being pushed well beyond what it was originally intended for. Persistent client side storage has become a requirement for web applications if they are to be available both online and off. This need is being filled by a variety of technologies such as Gears (formerly Google Gears) and the Database Storage functionality included in the emerging HTML 5 specification. While all such technologies offer great promise, it is clear that the vast majority of developers simply do not understand their security implications.

Researching a variety of currently deployed implementations of these technologies has revealed a broad scope of vulnerabilities with frightening implications. Now attackers can target victims not just once, but every time they visit a site, as the victim now carries and stores the attack with them. Imagine a scenario whereby updated confidential information is forwarded to an attacker every time a victim interacts with a given web application. The attacker no longer needs to worry about timing their attacks to ensure that the victim is authenticated, as the victim attacks himself! Limited storage? Cookies that expire? Not a problem when entire databases are accessible with virtually unlimited storage and an infinite lifespan. Think these attacks are theoretical? Think again. In this talk we dive into these technologies and break down the risk posed by them when not properly understood. We will then detail a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection.

Bio:

Michael Sutton, Vice President, Security Research – Zscaler

Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company. Zscaler Labs is responsible for researching emerging topics in web security and developing innovative security controls, which leverage the Zscaler in-the-cloud model. The team is comprised of researchers with a wealth of experience in the security industry.

Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics where, as an industry expert, he was responsible for researching, publishing and presenting on various security issues. In 2007, SPI Dynamics was acquired by Hewlett-Packard. Previously, Michael was a Research Director at iDefense where he led iDefense Labs, a team responsible for discovering and researching security vulnerabilities in a variety of technologies. iDefense was acquired by VeriSign in 2005. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media on various information security topics, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerability Discovery, an Addison-Wesley publication.

Wednesday, October 14th 2009

This is a restaurant/bar with plenty of seating, but room for a projector is out of the question so this would be an informal round table discussion.

I have a presentation I'm working on regarding WAFs and Vulnerability Assessment Tools. If it pleases the group, I'd love to go over the presentation and discuss everyone's experiences. Also, it's a great way to get feedback :)

Apr 30, 2009 6:30PM-8:30PM

Our fourth OC OWASP meeting will be an informal, roundtable discussion of current application security issues. Feel free to bring some ideas, code, slides, etc to contribute to the discussion. Hope to see everyone there!

Feb 19, 2009 6:30PM-8:30PM

Come talk application security at the third OWASP OC meeting. We'll discuss current application security topics and chapter issues over pizza. We have a room booked for 15-20 people so we'll be able to rant without disturbing the patrons :) See you there! Presentation Slides

Aug 27, 2008, 7 PM - 9 PM

Come meet up with web security professionals, have some pizza, and offer your thoughts for the direction of the OC chapter at our inaugural meeting! We are looking for speakers and venue sponsors for the next meeting. If you are interested, please contact the chapter leaders. Everyone is welcome to join us at our chapter meetings.

2008 Upcoming Events

Call for Papers (CFP) is NOW OPEN ~ to submit an educational topic for an upcoming meeting, please submit your BIO and talk abstract via email. Accepted speakers will be required to use the following PowerPoint OWASP Template. To sponsor or host an upcoming event in Orange County, please contact one of the board members below via email for more information.